UPDATED 00:53 EDT / OCTOBER 26 2015


UK telco TalkTalk hacked, hackers demand Bitcoin ransom but user data is already out there

British communications company TalkTalk Telecom Group PLC has experienced a serious data breach, with the alleged hackers demanding a ransom in Bitcoin.

The breaches (remarkably, there were three over 8 months) were first disclosed Friday and are believed to involve data for some 4 million customers, including credit card and bank account information.

If that’s not bad enough, the company is accused of hiding the fact that the data was stolen, and is reported to have confessed to it only after customers reported being targeted by scammers using the stolen data, including one man who is said to have nearly fallen victim to a “very convincing scam” before TalkTalk’s announcement.

In that case, the perpetrators hijacked the victim’s internet connection and then telephoned him pretending to be from TalkTalk support, and were able to cite TalkTalk details such as name, address, phone number and TalkTalk account number.

Worse still, it is believed that a significant portion of the stolen data was not encrypted, giving the hackers even easier access to user details.

TalkTalk said in its official statement that it had acted against the hack on Friday, though potentially too little, too late:

We shut down the website and we’ve been working with leading cybercrime specialists and the Metropolitan Police Cyber Crime Unit to establish exactly what happened and whether any of your individual information has been accessed. We emailed every customer directly and will write to those who we were unable to email. We’ve now restored most services and we’re working to bring My Account back online.

Bitcoin

Krebs on Security reports that the company has received a ransom demand of approximately £80,000 (~USD $122,000), with the attackers threatening to publish TalkTalk’s customer data unless they are paid the amount in Bitcoin.

The main problem for both TalkTalk and investigators, it seems, is that multiple hacker collectives have claimed responsibility for the hack, including one described as a “Russian Islamist group.”

Who actually hacked the company may be moot at this point, as data from the hack is already being offered for sale on the dark web.

Krebs also shines light on how the hack may have taken place:

According to my source, the intrusion started with an attack technique known as SQL injection (SQLi), a method which abuses a misconfiguration in a database that causes the database to cough up or dump information. The source said the SQLi attack was punctuated by a denial-of-service attack that sought to prevent legitimate users from visiting the targeted site, and that the debilitating assault may have been launched to distract from the database hack.

It probably goes without saying that if you are a TalkTalk customer in the United Kingdom, you urgently need to change your credit card and banking account details.

Image credit: markhillary/Flickr/CC by 2.0
